smartledger-bsv 3.4.4 → 4.0.0

package/docs/COVENANT_DEVELOPMENT_RESOLVED.md

@@ -136,9 +136,9 @@ node custom_script_signature_test.js
 ## 📦 Installation
 
 ```bash
-npm install smartledger-bsv@3.4.0
+npm install smartledger-bsv@4.0.0
 # or
-npm install @smartledger/bsv@3.4.4
+npm install @smartledger/bsv@4.0.0
 ```
 
 ## ✅ Verification Results

package/docs/MODULE_REFERENCE_COMPLETE.md

@@ -55,19 +55,19 @@ Three advanced modules totaling **~2.7MB** of functionality:
 - **Purpose**: Threshold cryptography for secure secret distribution
 - **Use Cases**: Backup keys, multi-party security, key recovery
 - **Features**: Split secrets into N shares, require M to reconstruct
-- **CDN**: `unpkg.com/@smartledger/bsv@3.4.4/bsv-shamir.min.js`
+- **CDN**: `unpkg.com/@smartledger/bsv@4.0.0/bsv-shamir.min.js`
 
 #### **🌐 Global Digital Attestation Framework - GDAF (1184KB)**  
 - **Purpose**: W3C Verifiable Credentials and decentralized identity
 - **Use Cases**: Identity verification, attestations, zero-knowledge proofs
 - **Features**: DID creation, credential issuance, selective disclosure
-- **CDN**: `unpkg.com/@smartledger/bsv@3.4.4/bsv-gdaf.min.js`
+- **CDN**: `unpkg.com/@smartledger/bsv@4.0.0/bsv-gdaf.min.js`
 
 #### **⚖️ Legal Token Protocol - LTP (1184KB)**
 - **Purpose**: Legal compliance framework for tokenized assets
 - **Use Cases**: Property rights, obligations, compliant tokenization  
 - **Features**: Legal primitives, compliance checking, attestation anchoring
-- **CDN**: `unpkg.com/@smartledger/bsv@3.4.4/bsv-ltp.min.js`
+- **CDN**: `unpkg.com/@smartledger/bsv@4.0.0/bsv-ltp.min.js`
 
 ### **2. Incorrect File Sizes in Documentation**
 
@@ -81,18 +81,18 @@ Three advanced modules totaling **~2.7MB** of functionality:
 
 | Module | Size | Use Case | CDN Link |
 |--------|------|----------|----------|
-| **bsv.min.js** | 937KB | Core BSV + SmartContract | `unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js` |
-| **bsv.bundle.js** | 937KB | Everything in one file | `unpkg.com/@smartledger/bsv@3.4.4/bsv.bundle.js` |
-| **bsv-smartcontract.min.js** | 937KB | Covenant development | `unpkg.com/@smartledger/bsv@3.4.4/bsv-smartcontract.min.js` |
-| **bsv-covenant.min.js** | 913KB | Covenant operations | `unpkg.com/@smartledger/bsv@3.4.4/bsv-covenant.min.js` |
-| **bsv-script-helper.min.js** | 26KB | Custom script tools | `unpkg.com/@smartledger/bsv@3.4.4/bsv-script-helper.min.js` |
-| **bsv-security.min.js** | 26KB | Security enhancements (opt-in helpers — see README › Security) | `unpkg.com/@smartledger/bsv@3.4.4/bsv-security.min.js` |
-| **bsv-ecies.min.js** | 71KB | Encryption | `unpkg.com/@smartledger/bsv@3.4.4/bsv-ecies.min.js` |
-| **bsv-message.min.js** | 26KB | Message signing | `unpkg.com/@smartledger/bsv@3.4.4/bsv-message.min.js` |
-| **bsv-mnemonic.min.js** | 681KB | HD wallets | `unpkg.com/@smartledger/bsv@3.4.4/bsv-mnemonic.min.js` |
-| **🆕 bsv-shamir.min.js** | 432KB | **Secret sharing** | `unpkg.com/@smartledger/bsv@3.4.4/bsv-shamir.min.js` |
-| **🆕 bsv-gdaf.min.js** | 1184KB | **Digital attestation** | `unpkg.com/@smartledger/bsv@3.4.4/bsv-gdaf.min.js` |
-| **🆕 bsv-ltp.min.js** | 1184KB | **Legal tokens** | `unpkg.com/@smartledger/bsv@3.4.4/bsv-ltp.min.js` |
+| **bsv.min.js** | 937KB | Core BSV + SmartContract | `unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js` |
+| **bsv.bundle.js** | 937KB | Everything in one file | `unpkg.com/@smartledger/bsv@4.0.0/bsv.bundle.js` |
+| **bsv-smartcontract.min.js** | 937KB | Covenant development | `unpkg.com/@smartledger/bsv@4.0.0/bsv-smartcontract.min.js` |
+| **bsv-covenant.min.js** | 913KB | Covenant operations | `unpkg.com/@smartledger/bsv@4.0.0/bsv-covenant.min.js` |
+| **bsv-script-helper.min.js** | 26KB | Custom script tools | `unpkg.com/@smartledger/bsv@4.0.0/bsv-script-helper.min.js` |
+| **bsv-security.min.js** | 26KB | Security enhancements (opt-in helpers — see README › Security) | `unpkg.com/@smartledger/bsv@4.0.0/bsv-security.min.js` |
+| **bsv-ecies.min.js** | 71KB | Encryption | `unpkg.com/@smartledger/bsv@4.0.0/bsv-ecies.min.js` |
+| **bsv-message.min.js** | 26KB | Message signing | `unpkg.com/@smartledger/bsv@4.0.0/bsv-message.min.js` |
+| **bsv-mnemonic.min.js** | 681KB | HD wallets | `unpkg.com/@smartledger/bsv@4.0.0/bsv-mnemonic.min.js` |
+| **🆕 bsv-shamir.min.js** | 432KB | **Secret sharing** | `unpkg.com/@smartledger/bsv@4.0.0/bsv-shamir.min.js` |
+| **🆕 bsv-gdaf.min.js** | 1184KB | **Digital attestation** | `unpkg.com/@smartledger/bsv@4.0.0/bsv-gdaf.min.js` |
+| **🆕 bsv-ltp.min.js** | 1184KB | **Legal tokens** | `unpkg.com/@smartledger/bsv@4.0.0/bsv-ltp.min.js` |
 
 ## 🎯 **Updated Usage Examples**
 
@@ -100,22 +100,22 @@ Three advanced modules totaling **~2.7MB** of functionality:
 
 #### **1. Basic Development (~963KB)**
 ```html
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-script-helper.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-script-helper.min.js"></script>
 ```
 
 #### **2. Smart Contract Development (~2.7MB — each bundle re-embeds core BSV)**
 ```html
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-covenant.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-smartcontract.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-covenant.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-smartcontract.min.js"></script>
 ```
 
 #### **3. 🆕 Legal & Compliance Development (~3.2MB — each bundle re-embeds core BSV)**
 ```html
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-ltp.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-gdaf.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-ltp.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-gdaf.min.js"></script>
 <script>
   // Legal Token Protocol
   const legalToken = bsv.createLegalToken({
@@ -132,9 +132,9 @@ Three advanced modules totaling **~2.7MB** of functionality:
 
 #### **4. 🆕 Security & Cryptography (~1.4MB)**
 ```html
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-security.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-shamir.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-security.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-shamir.min.js"></script>
 <script>
   // Shamir Secret Sharing
   const shares = bsv.splitSecret('my_secret_key', 5, 3); // 5 shares, 3 needed
@@ -146,7 +146,7 @@ Three advanced modules totaling **~2.7MB** of functionality:
 
 #### **5. Everything Bundle (937KB)**
 ```html
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.bundle.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.bundle.js"></script>
 <script>
   // Everything available immediately
   const shares = bsv.splitSecret('secret', 5, 3);

package/docs/advanced/UTXO_MANAGER_GUIDE.md

@@ -722,7 +722,7 @@ interface UTXO {
 <html>
 <head>
     <title>UTXO Manager Demo</title>
-    <script src="https://cdn.jsdelivr.net/npm/@smartledger/bsv@3.4.4/bsv.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/@smartledger/bsv@4.0.0/bsv.min.js"></script>
 </head>
 <body>
     <script>

package/docs/getting-started/INSTALLATION.md

@@ -12,10 +12,10 @@ SmartLedger-BSV offers multiple installation methods to suit different developme
 npm install @smartledger/bsv
 
 # Install specific version
-npm install @smartledger/bsv@3.4.4
+npm install @smartledger/bsv@4.0.0
 
 # Install with exact version lock
-npm install --save-exact @smartledger/bsv@3.4.4
+npm install --save-exact @smartledger/bsv@4.0.0
 ```
 
 ### **Usage in Node.js**
@@ -48,7 +48,7 @@ const tx: Transaction = new Transaction();
 #### **Core Library Only (937KB)**
 For basic Bitcoin SV operations:
 ```html
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js"></script>
 <script>
   const privateKey = new bsv.PrivateKey();
   const address = privateKey.toAddress();
@@ -58,7 +58,7 @@ For basic Bitcoin SV operations:
 #### **Complete Bundle (937KB)**  
 Everything in one file:
 ```html
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.bundle.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.bundle.js"></script>
 <script>
   // All features available immediately
   const shares = bsv.splitSecret('secret', 5, 3);
@@ -71,9 +71,9 @@ Everything in one file:
 
 #### **Smart Contract Development (~2.7MB total — each bundle is self-contained and re-embeds core BSV)**
 ```html
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-covenant.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-smartcontract.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-covenant.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-smartcontract.min.js"></script>
 <script>
   const covenant = bsv.SmartContract.createCovenantBuilder()
     .extractField('amount').push(50000).greaterThanOrEqual().build();
@@ -82,9 +82,9 @@ Everything in one file:
 
 #### **Legal & Identity Development (~3.2MB total — each bundle is self-contained and re-embeds core BSV)**
 ```html
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-ltp.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-gdaf.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-ltp.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-gdaf.min.js"></script>
 <script>
   // Legal Token Protocol
   const propertyToken = bsv.createPropertyToken({
@@ -98,9 +98,9 @@ Everything in one file:
 
 #### **Security & Cryptography (~1.4MB total — each bundle is self-contained and re-embeds core BSV)**
 ```html
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-security.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-shamir.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-security.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-shamir.min.js"></script>
 <script>
   // Threshold Cryptography
   const shares = bsv.splitSecret('my_secret_key', 5, 3);
@@ -114,18 +114,18 @@ Everything in one file:
 
 | Module | Size | Purpose | CDN Link |
 |--------|------|---------|----------|
-| **bsv.min.js** | 937KB | Core BSV + SmartContract | `unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js` |
-| **bsv.bundle.js** | 937KB | Everything in one file | `unpkg.com/@smartledger/bsv@3.4.4/bsv.bundle.js` |
-| **bsv-smartcontract.min.js** | 937KB | Complete covenant framework | `unpkg.com/@smartledger/bsv@3.4.4/bsv-smartcontract.min.js` |
-| **bsv-ltp.min.js** | 1184KB | **Legal Token Protocol** | `unpkg.com/@smartledger/bsv@3.4.4/bsv-ltp.min.js` |
-| **bsv-gdaf.min.js** | 1184KB | **Digital Identity & Attestation** | `unpkg.com/@smartledger/bsv@3.4.4/bsv-gdaf.min.js` |
-| **bsv-shamir.min.js** | 432KB | **Threshold Cryptography** | `unpkg.com/@smartledger/bsv@3.4.4/bsv-shamir.min.js` |
-| **bsv-security.min.js** | 26KB | Security enhancements (opt-in helpers — see README › Security) | `unpkg.com/@smartledger/bsv@3.4.4/bsv-security.min.js` |
-| **bsv-mnemonic.min.js** | 681KB | HD wallets | `unpkg.com/@smartledger/bsv@3.4.4/bsv-mnemonic.min.js` |
-| **bsv-ecies.min.js** | 71KB | Encryption | `unpkg.com/@smartledger/bsv@3.4.4/bsv-ecies.min.js` |
-| **bsv-covenant.min.js** | 913KB | Covenant operations | `unpkg.com/@smartledger/bsv@3.4.4/bsv-covenant.min.js` |
-| **bsv-script-helper.min.js** | 26KB | Custom script tools | `unpkg.com/@smartledger/bsv@3.4.4/bsv-script-helper.min.js` |
-| **bsv-message.min.js** | 26KB | Message signing | `unpkg.com/@smartledger/bsv@3.4.4/bsv-message.min.js` |
+| **bsv.min.js** | 937KB | Core BSV + SmartContract | `unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js` |
+| **bsv.bundle.js** | 937KB | Everything in one file | `unpkg.com/@smartledger/bsv@4.0.0/bsv.bundle.js` |
+| **bsv-smartcontract.min.js** | 937KB | Complete covenant framework | `unpkg.com/@smartledger/bsv@4.0.0/bsv-smartcontract.min.js` |
+| **bsv-ltp.min.js** | 1184KB | **Legal Token Protocol** | `unpkg.com/@smartledger/bsv@4.0.0/bsv-ltp.min.js` |
+| **bsv-gdaf.min.js** | 1184KB | **Digital Identity & Attestation** | `unpkg.com/@smartledger/bsv@4.0.0/bsv-gdaf.min.js` |
+| **bsv-shamir.min.js** | 432KB | **Threshold Cryptography** | `unpkg.com/@smartledger/bsv@4.0.0/bsv-shamir.min.js` |
+| **bsv-security.min.js** | 26KB | Security enhancements (opt-in helpers — see README › Security) | `unpkg.com/@smartledger/bsv@4.0.0/bsv-security.min.js` |
+| **bsv-mnemonic.min.js** | 681KB | HD wallets | `unpkg.com/@smartledger/bsv@4.0.0/bsv-mnemonic.min.js` |
+| **bsv-ecies.min.js** | 71KB | Encryption | `unpkg.com/@smartledger/bsv@4.0.0/bsv-ecies.min.js` |
+| **bsv-covenant.min.js** | 913KB | Covenant operations | `unpkg.com/@smartledger/bsv@4.0.0/bsv-covenant.min.js` |
+| **bsv-script-helper.min.js** | 26KB | Custom script tools | `unpkg.com/@smartledger/bsv@4.0.0/bsv-script-helper.min.js` |
+| **bsv-message.min.js** | 26KB | Message signing | `unpkg.com/@smartledger/bsv@4.0.0/bsv-message.min.js` |
 
 ## ⚙️ **Development Environment Setup**
 

package/docs/getting-started/QUICK_START.md

@@ -14,10 +14,10 @@ npm install @smartledger/bsv
 ### Browser CDN (Instant)
 ```html
 <!-- Core library (937KB) -->
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js"></script>
 
 <!-- Everything included (937KB) -->
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.bundle.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.bundle.js"></script>
 ```
 
 ## 💰 **Your First Transaction (60 seconds)**
@@ -127,19 +127,19 @@ SmartLedger-BSV offers 12 different loading options - use only what you need:
 
 ```html
 <!-- Core BSV only (937KB) -->
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js"></script>
 
 <!-- Smart contracts (937KB) -->
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-smartcontract.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-smartcontract.min.js"></script>
 
 <!-- Legal tokens (1.16MB) -->
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-ltp.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-ltp.min.js"></script>
 
 <!-- Digital identity (1.16MB) -->
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-gdaf.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-gdaf.min.js"></script>
 
 <!-- Everything (937KB) -->
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.bundle.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.bundle.js"></script>
 ```
 
 ## ⚡ **Key Advantages**

package/docs/migration/FROM_BSV_1_5_6.md

@@ -159,17 +159,17 @@ const recovered = bsv.reconstructSecret([shares[0], shares[2], shares[4]]);
 ### **New Modular Options** 
 ```html
 <!-- Core compatibility (same size as bsv@1.5.6) -->
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.min.js"></script>
 
 <!-- Add smart contracts when ready -->
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-smartcontract.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-smartcontract.min.js"></script>
 
 <!-- Add advanced features as needed -->
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-ltp.min.js"></script>
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv-gdaf.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-ltp.min.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv-gdaf.min.js"></script>
 
 <!-- Everything in one file -->
-<script src="https://unpkg.com/@smartledger/bsv@3.4.4/bsv.bundle.js"></script>
+<script src="https://unpkg.com/@smartledger/bsv@4.0.0/bsv.bundle.js"></script>
 ```
 
 ## 🔍 **Testing Your Migration**

package/lib/crypto/ecdsa.js

@@ -172,30 +172,27 @@ ECDSA.prototype.sigError = function () {
     return 'hashbuf must be a 32 byte buffer'
   }
 
-  // === SmartLedger Security Patches ===
-  // Apply security validation during cryptographic verification
   var r = this.sig.r
   var s = this.sig.s
   var n = Point.getN()
 
   try {
-    // Fix 1 & 2: Enhanced range validation
-    if (r.isZero() || s.isZero() || r.gte(n) || s.gte(n)) {
+    // Reject out-of-range r, s: both must lie in [1, n-1]. lte(0) covers
+    // negative and zero values; gte(n) covers anything at or above the order.
+    if (r.lte(BN.Zero) || s.lte(BN.Zero) || r.gte(n) || s.gte(n)) {
       return 'r and s not in range'
     }
 
-    // Fix 3: Handle canonicalization properly
-    // For verification, we need to try both the original s and canonical s
-    // This handles both pre-canonicalized signatures and non-canonical ones
-    var nh = n.shrn(1) // n/2
-    var canonicalS = s.gt(nh) ? n.sub(s) : s
-
     var e = BN.fromBuffer(this.hashbuf, this.endian ? {
       endian: this.endian
     } : undefined)
 
-    // Try verification with canonical s
-    var sinv = canonicalS.invm(n)
+    // Standard ECDSA verification. This accepts both (r, s) and (r, n - s):
+    // ECDSA is inherently malleable in s, and verifying the canonical form
+    // yields the same accept/reject as verifying s directly, so there is no
+    // need to canonicalize or retry here. Low-S is enforced at *signing* time
+    // (see ECDSA.toLowS), which is where malleability protection belongs.
+    var sinv = s.invm(n)
     var u1 = sinv.mul(e).umod(n)
     var u2 = sinv.mul(r).umod(n)
 
@@ -205,23 +202,9 @@ ECDSA.prototype.sigError = function () {
     }
 
     if (p.getX().umod(n).cmp(r) !== 0) {
-      // If canonical verification failed and s was already canonical, 
-      // try with the non-canonical version (for backwards compatibility)
-      if (s.lte(nh)) {
-        var nonCanonicalS = n.sub(s)
-        sinv = nonCanonicalS.invm(n)
-        u1 = sinv.mul(e).umod(n)
-        u2 = sinv.mul(r).umod(n)
-        
-        p = Point.getG().mulAdd(u1, this.pubkey.point, u2)
-        if (!p.isInfinity() && p.getX().umod(n).cmp(r) === 0) {
-          return false  // Verification succeeded with non-canonical s
-        }
-      }
       return 'Invalid signature'
-    } else {
-      return false  // Verification succeeded with canonical s
     }
+    return false
   } catch (error) {
     return 'Signature security validation failed: ' + error.message
   }

package/lib/ecies/electrum-ecies.js

@@ -163,7 +163,18 @@ ECIES.prototype.decrypt = function (encbuf) {
   var hmac2 = Hash.sha256hmac(encbuf.slice(0, encbuf.length - tagLength), this.kM)
   if (this.opts.shortTag) hmac2 = hmac2.slice(0, 4)
 
-  if (!hmac.equals(hmac2)) {
+  // Constant-time tag comparison. Buffer.equals() short-circuits on the first
+  // differing byte, which leaks how many leading bytes matched and enables a
+  // forgery oracle on the MAC; compare every byte unconditionally instead
+  // (mirrors the loop in bitcore-ecies.js).
+  if (hmac.length !== hmac2.length) {
+    throw new errors.DecryptionError('Invalid checksum')
+  }
+  var equal = 0
+  for (var i = 0; i < hmac2.length; i++) {
+    equal |= (hmac[i] ^ hmac2[i])
+  }
+  if (equal !== 0) {
     throw new errors.DecryptionError('Invalid checksum')
   }
 

package/lib/gdaf/attestation-signer.js

@@ -49,14 +49,49 @@ function AttestationSigner(privateKey, options) {
   return this
 }
 
+/**
+ * Recursively produce a value with all object keys sorted, so that
+ * JSON.stringify yields a deterministic, fully-covering serialization.
+ *
+ * IMPORTANT: this replaces a previous implementation that called
+ * `JSON.stringify(obj, Object.keys(obj).sort())`. That used the JSON.stringify
+ * *replacer array* form, which whitelists keys at EVERY nesting level to the
+ * top-level key set. The result was that nested objects (notably
+ * `credentialSubject`) serialized to `{}` and were therefore NOT covered by the
+ * signature -- a forger could rewrite the subject's claims without invalidating
+ * the proof. This recursive sort includes every key at every depth.
+ *
+ * Note: keys are ordered with Array.prototype.sort (UTF-16 code-unit order) and
+ * inserted in that order. Credential keys are non-integer strings, so insertion
+ * order is preserved by JSON.stringify; do not feed integer-like keys here.
+ *
+ * @param {*} value - Value to canonicalize
+ * @returns {*} Value with all nested object keys sorted
+ * @private
+ */
+AttestationSigner._sortValue = function(value) {
+  if (Array.isArray(value)) {
+    // Arrays are order-significant: preserve order, canonicalize each element.
+    return value.map(function(item) { return AttestationSigner._sortValue(item) })
+  }
+  if (value !== null && typeof value === 'object') {
+    return Object.keys(value).sort().reduce(function(sorted, key) {
+      sorted[key] = AttestationSigner._sortValue(value[key])
+      return sorted
+    }, {})
+  }
+  // Primitives (string, number, boolean, null) are returned unchanged.
+  return value
+}
+
 /**
  * Create canonical JSON string for signing
  * @param {Object} obj - Object to canonicalize
  * @returns {String} Canonical JSON string
  */
 AttestationSigner._canonicalizeJSON = function(obj) {
-  // Use deterministic JSON serialization
-  return JSON.stringify(obj, Object.keys(obj).sort())
+  // Deterministic serialization that covers every nested key at every depth.
+  return JSON.stringify(AttestationSigner._sortValue(obj))
 }
 
 /**

package/lib/gdaf/attestation-verifier.js

@@ -251,6 +251,16 @@ AttestationVerifier._validateStructure = function(credential) {
  * Verify credential signature
  * @private
  */
+AttestationVerifier._normalizeDID = function(issuer) {
+  // W3C VC allows `issuer` to be a DID string or an object with an `id`.
+  var did = (issuer && typeof issuer === 'object') ? issuer.id : issuer
+  if (typeof did !== 'string' || did.length === 0) {
+    return null
+  }
+  // Strip any fragment so `did:...#keys-1` compares equal to `did:...`.
+  return did.split('#')[0]
+}
+
 AttestationVerifier._verifySignature = async function(credential) {
   try {
     var proof = credential.proof
@@ -273,7 +283,22 @@ AttestationVerifier._verifySignature = async function(credential) {
     // Extract DID from verification method
     var verificationMethod = proof.verificationMethod
     var did = verificationMethod.split('#')[0]
-    
+
+    // Bind the signing key to the claimed issuer. Without this, a valid
+    // signature from ANY DID is accepted while `credential.issuer` names a
+    // different (e.g. trusted) authority -- an issuer-spoofing forgery. The
+    // DID that owns the verificationMethod MUST equal the credential issuer.
+    var issuerDID = AttestationVerifier._normalizeDID(credential.issuer)
+    if (!issuerDID) {
+      return { valid: false, errors: ['Missing or invalid credential issuer'] }
+    }
+    if (issuerDID !== did) {
+      return {
+        valid: false,
+        errors: ['Verification method DID (' + did + ') does not match credential issuer (' + issuerDID + ')']
+      }
+    }
+
     // Get public key from DID
     var publicKey = DIDResolver.getPublicKey(did)
     
@@ -292,9 +317,12 @@ AttestationVerifier._verifySignature = async function(credential) {
     ecdsa.hashbuf = credentialHash
     ecdsa.pubkey = publicKey
     ecdsa.sig = signature
-    
-    var valid = ecdsa.verify()
-    
+
+    // NOTE: ECDSA.prototype.verify() returns the ECDSA *instance* (always
+    // truthy), not a boolean. Read the `.verified` flag, otherwise every
+    // structurally-valid proof passes regardless of the actual signature.
+    var valid = ecdsa.verify().verified
+
     if (valid) {
       return {
         valid: true,
@@ -355,9 +383,11 @@ AttestationVerifier._verifyPresentationSignature = async function(presentation)
     ecdsa.hashbuf = presentationHash
     ecdsa.pubkey = publicKey
     ecdsa.sig = signature
-    
-    var valid = ecdsa.verify()
-    
+
+    // ECDSA.prototype.verify() returns the instance, not a boolean — read
+    // `.verified` (see _verifySignature).
+    var valid = ecdsa.verify().verified
+
     return {
       valid: valid,
       errors: valid ? [] : ['Presentation signature verification failed']
@@ -392,10 +422,18 @@ AttestationVerifier._validateIssuer = async function(credential, options) {
       return { valid: false, errors: errors }
     }
     
-    // Check if issuer is in trusted list
+    // Enforce the trusted-issuer allow-list when one is supplied. Previously a
+    // non-member only produced a warning, so `trustedIssuers` provided no
+    // actual enforcement and any resolvable DID was accepted. Comparison is
+    // done on normalized DIDs so fragment/object issuer forms match.
     if (options.trustedIssuers && Array.isArray(options.trustedIssuers)) {
-      if (!options.trustedIssuers.includes(issuer)) {
-        warnings.push('Issuer not in trusted list')
+      var issuerDID = AttestationVerifier._normalizeDID(issuer)
+      var trusted = options.trustedIssuers
+        .map(function(t) { return AttestationVerifier._normalizeDID(t) })
+        .filter(Boolean)
+      if (!issuerDID || trusted.indexOf(issuerDID) === -1) {
+        errors.push('Issuer not in trusted list')
+        return { valid: false, errors: errors, warnings: warnings }
       }
     }
     

package/lib/script/script.js

@@ -334,6 +334,25 @@ Script.prototype.isPublicKeyHashOut = function () {
     this.chunks[4].opcodenum === Opcode.OP_CHECKSIG)
 }
 
+/**
+ * @returns {boolean} true if the FIRST five chunks are a P2PKH pattern, regardless
+ *   of any trailing chunks. Matches 1Sat Ordinals (P2PKH + `OP_FALSE OP_IF "ord" …
+ *   OP_ENDIF`), MAP+BAP-style appended metadata, sCrypt covenants with a P2PKH
+ *   spendable guard, etc. The strict `isPublicKeyHashOut()` is unchanged so
+ *   address derivation / script classification keep their canonical semantics;
+ *   this loose check is used by `Transaction.from()` so spending such outputs
+ *   via the high-level API Just Works.
+ */
+Script.prototype.isPublicKeyHashOutPrefix = function () {
+  return !!(this.chunks.length >= 5 &&
+    this.chunks[0].opcodenum === Opcode.OP_DUP &&
+    this.chunks[1].opcodenum === Opcode.OP_HASH160 &&
+    this.chunks[2].buf &&
+    this.chunks[2].buf.length === 20 &&
+    this.chunks[3].opcodenum === Opcode.OP_EQUALVERIFY &&
+    this.chunks[4].opcodenum === Opcode.OP_CHECKSIG)
+}
+
 /**
  * @returns {boolean} if this is a pay to public key hash input script
  */

package/lib/transaction/input/publickeyhash.js

@@ -34,7 +34,12 @@ PublicKeyHashInput.prototype.getSignatures = function (transaction, privateKey,
   hashData = hashData || Hash.sha256ripemd160(privateKey.publicKey.toBuffer())
   sigtype = sigtype || (Signature.SIGHASH_ALL | Signature.SIGHASH_FORKID)
 
-  if (hashData.equals(this.output.script.getPublicKeyHash())) {
+  // The dispatcher (Transaction._fromNonP2SH) may have routed a "P2PKH +
+  // trailing data" script here via isPublicKeyHashOutPrefix() — in which
+  // case the strict getPublicKeyHash() would throw. Read the 20-byte hash
+  // directly from chunks[2] (validated by the prefix check at dispatch).
+  var scriptPkh = this.output.script.chunks[2] && this.output.script.chunks[2].buf
+  if (scriptPkh && hashData.equals(scriptPkh)) {
     return [new TransactionSignature({
       publicKey: privateKey.publicKey,
       prevTxId: this.prevTxId,

package/lib/transaction/transaction.js

@@ -549,7 +549,11 @@ Transaction.prototype.from = function (utxo, pubkeys, threshold) {
 Transaction.prototype._fromNonP2SH = function (utxo) {
   var Clazz
   utxo = new UnspentOutput(utxo)
-  if (utxo.script.isPublicKeyHashOut()) {
+  // Use the loose P2PKH check so 1Sat Ordinal outputs (P2PKH + inscription
+  // envelope) and other "P2PKH + trailing data" patterns dispatch to the
+  // signing-capable subclass instead of falling through to the abstract
+  // base Input. See Script.prototype.isPublicKeyHashOutPrefix.
+  if (utxo.script.isPublicKeyHashOutPrefix()) {
     Clazz = PublicKeyHashInput
   } else if (utxo.script.isPublicKeyOut()) {
     Clazz = PublicKeyInput

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "smartledger-bsv",
-  "version": "3.4.4",
+  "version": "4.0.0",
   "description": "🚀 Complete Bitcoin SV development framework with legally-recognizable DID:web + W3C VC-JWT toolkit, Legal Token Protocol (LTP), Global Digital Attestation Framework (GDAF), StatusList2021 revocation, and 16 flexible loading options. Standards-based credentials with ES256/ES256K support, on-chain BSV anchoring, and comprehensive Bitcoin SV API. Perfect for legal tokens, verifiable credentials, DeFi, smart contracts, and secure Bitcoin applications.",
   "author": "SmartLedger Technology <hello@smartledger.technology> (https://smartledger.technology)",
   "homepage": "https://github.com/codenlighten/smartledger-bsv#readme",
@@ -74,7 +74,6 @@
     "lib/",
     "utilities/*.js",
     "utilities/README.md",
-    "utilities/wallet.json",
     "ecies/",
     "message/",
     "mnemonic/",
@@ -132,7 +131,6 @@
     "debug-tools",
     "modular-loading",
     "standalone-modules",
-    "security-hardened",
     "elliptic-curve-fix",
     "smartledger",
     "transaction",
@@ -184,7 +182,6 @@
     "webpack-ready",
     "cdn-ready",
     "typescript-definitions",
-    "vulnerability-free",
     "drop-in-replacement",
     "performance-optimized",
     "bip21",